GDPR and email marketing - Planning for the future

Before we launch into how to plan for the future of your email marketing in a post-GDPR world, let's quickly take stock of everything we've learnt so far.

1. You should carry out an audit of all your data so you know what information you hold, where it comes from and how you use it.
2. You can continue to email existing contacts in your database providing they have been a previous customer, you have been sending emails to them regularly with a regular pattern, they have been given a clear opportunity to opt-out and they have engaged with your emails within the last two years. You must also have carried out the written balancing exercise allowing you to rely on your legitimate interests as a business.
3. In a B2B setting, suspects or expired prospects should be removed from your database and you should no longer communicate with them through email marketing until such a time as they give you consent to do so through new communications initiated by them.
4. Your email marketing focus should be on creating quality email marketing campaigns and programmes rather than on the size of your list and the number of emails you send.

So, as you can see, we have focussed on what you do with the data you already have not the data you'll be collecting in the future. The key point here is you will need explicit consent (that must be clear, positive and transparent) in order to send your email marketing campaigns to new subscribers or customers.

We've been asked the following question by a number of our clients:

‍"Do I need to show a customer has checked a 'tick box' in every case to add them to my database? For example I have a sign-up box on my website that clearly says 'Sign-up here to receive our marketing updates direct to your inbox'. The only field is to enter the email address, and if they don't want to be contacted, they don't have to subscribe."

‍Here's what the legal team at Stephens Scown told us:

‍"Explicit consent is needed: it must be clear, positive and transparent.

‍"Alongside this, demonstrable positive action is required. For instance, the contact must have taken a positive step to indicate they want to subscribe. You cannot, for example, run an opt-out system. How you get explicit consent really depends on how you are collecting the data and what you are using it for."

‍From a practical point of view, and for a  simple 'enews sign-up' box on a website, this means that if you make it clear and transparent what the subscriber will receive and how frequently they will receive it, at the point they enter their email address, there is no need for an additional 'tick box' to confirm subscription. The granular detail of data collection can be contained in a Privacy Policy, but the general detail of 'what and when' should be clearly visible above the form, and in the same size and style of font as the rest of your site (so no more hiding it in the small print).

We're well aware this could detract from the beautiful looking sign up form you currently have on your website. Our advice here is, if there is limited space on your website in which to add this text, consider swapping the enews subscription box for a 'Call To Action', which links to a landing page where the form is contained, with the details of how the data will be used. You could also include a preference centre on this page which allows the subscriber to tell you exactly what they want to hear about and enables you to ensure you're sending out the right message to the right people. Automated emails can be used on successful submission of the form, as long as it is clear this will happen before they subscribe.

If a subscriber is using a contact form, entering a prize draw or making a purchase, best practice dictates that moving forwards, there should be an addition of a 'tick box' (definitely not unchecking a prefilled box) to confirm they would like to receive email marketing with details of content and frequency.

Finally, with many fear-mongering articles out there warning of fines up to €20 million (or 4% of worldwide turnover, whichever is higher) for non-compliance, another big worry many people have for the future is what will happen if they continue sending emails to subscribers who they can't prove have checked a box to give consent to receiving email marketing.

The key thing to remember here is most people will already be compliant, or near compliant if they have been operating best practices under the DPA, and in line with the current Privacy and Electronic Communications Regulations. However, everyone should be checking and verifying their own position and taking steps to rectify highlighted areas, which is not just permission, but also storage and transmission of data, as well as passwords and access.

In short, if you think you're sailing close to the wind, then you probably are!

‍In summary...

• For future sign ups and data collection you need to ensure the subscriber gives explicit consent that is clear, positive and transparent.
• There's no need for additional 'tick boxes' on your 'enews sign up' box, providing you include details of what the subscriber will be receiving and how frequently they'll be getting it.
• If a subscriber is using a contact form, entering a prize draw or making a purchase, then you should include an additional 'tick box' they have to check to confirm they would like to receive marketing emails from you.